“Millions of Windows users run the OS with an administrator account because Microsoft’s never made it easy to do anything different. In fact, you have to work a lot harder to run with fewer rights. Microsoft will push Vista as the solution to the ever-increasing number and ingenuity of attacks. But why wait? With our five strategies, you can give Windows XP a taste of Vista’s UAC protection.”
Interesting that they’d miss the best (IMHO) option out there when considering time and money.
RunAsAdmin explorer shim is great, once you install it all of your programs launch in a limited security context, but you have the option of running applications in admin mode (the ones that need it).
I recommend the 2.0 beta release, its actually quite solid and integrates with windows explorer well.
http://sourceforge.net/project/showfiles.php?group_id=127612
Edited 2006-07-30 16:02
RunAsAdmin explorer shim is nifty… First you drop everyone’s rights by providing USER group membership only to domain users then (trust issues aside) users can elevate priv’s on their business apps that don’t comply with LUA/UAC.
Seems RunAsAdmin doesnt like control panel applets with the exception of compmgmt.msc (where a short cut of the applet is on the desktop and right click to elevate priv’s).
Thanks Bit_Rapist!
1. Download FreeBSD/Linux.
1. Download FreeBSD/Linux.
Wow, thanks! You know, I had never considered that. Thanks for the blinding flash of the obvious, Sherlock!
But for those of you for whom the solution of Linux/Mac doesn’t work and you absolutely need Windows for one reason or the other, do the following:
1. Don’t use Internet Explorer. Use Opera or Firefox instead
2. Have some kind of firewall running (even a $30 hardware router should do the trick if you don’t want one running in the background)
3. A free anti-virus program such as AVG. Though you don’t have to run this resident, you better be damn careful about scanning everything you download if you don’t.
4. Use a little common sense about what you download. If it promises you naked pics of Britney Speaers or more smileys for your IM/email, it’s probably bad news.
Do the above and you have just eliminated 99% of security issues in Windows. Of course, there’s still a remote chance that somebody could hack into your machine (just like somebody could break into a locked car while you’re in a shopping mall), but if you’re the average Joe User and not running a high-profile server, you shoudl be fine with this.
‘But why NOT run as limited user, you say?’ Because I’ve been doing the above for the last 6 years or so and have never had a problem. Why do more than is actually necessary?
BTW: I’ve never heard of the process manager program .. will definitely check it out.
Edited 2006-07-30 16:42
Wow, man, it’s a joke. Calm down.
Man the moderation Nazis our completely out of control on this site. It was a freakin joke guys, get over it. Probably just hurts that even though it’s a joke, there is some serious truth to Leth’s comment.
Mod this
Windows troubleshooting steps:
1.Restart
2.Reboot
3.Reload
4.RedHat
Man the moderation Nazis are completely out of control on this site.
+1 from me…
Good one!
You mean I can get this “symbolic link” technology that Vista leverages, right now?
But in all seriousness, it’s good to see Microsoft deploying these security measures by default, and users wanting them. Sadly they should have done this long ago, and not make their users jump through hoops to attain average security.
I.m nott 100% shore, but this tool worked gfor me ehen i was on windows a year ago http://www.sysinternals.com/Utilities/Junction.html
Some limitations: you can omly symlink within the sam patition/or was it disk(as in pysical disk) (man I forget quickly), and no GUI (well not a biggie)
The first thing that struck me was how swiftly Option 1 was dismissed. I’d say the effort involved in familiarizing yourself with the tools mentioned in later Options is just as much effort as migrating to a non-admin account.
Of course, I wouldn’t think of doing this on an already-lived-in install; yes, doing it this way will bring many headaches. So simply do it on a fresh install of Windows – if you’re unaccustomed to doing this on a twice-yearly basis, your system is likely a thing of misery already. If you care about your program configs, you’ll already know how to backup and restore them. Then you can clean-install Windows, install the apps as Admin, then settle down to using them as Limited User. It’s really not hard!
They didn’t get the app installation point across at all well, IMHO. Of *course* you won’t have much luck installing programs as a Limited User – they usually prefer to install into locations that Limited Users can’t accidentally delete and LU-initiated malware can’t corrupt. Funny, that :S
I’d have liked them to mention that if a multi-user program installed by the Admin doesn’t work correctly for Limited Users, then it’s *poorly-designed*. I’m all for shaming developers [*cough*Symantec*cough*] that commit such errors.
Bottom line: running your whole login session as a Limited User is hugely safer than just doing so with your browser and other chosen apps. That said, the ‘drop my rights’ solutions presented here are certainly better than nothing, and kudos for giving them a bit of welcome publicity.
Symantec apps are system-level utilities, by and large… it makes sense for them to be admin-only (except maybe for antivirus).
I think the reason that Windows goes admin by default is a pretty reasonable one: for a single-user workstation it really isn’t worth it to have a separation of privileges as long as the user is reasonably judicious in what he or she installs. People were more or less just fine with Windows 95 (except for the inherent instability in the OS) because the market for malicious programs was a lot smaller. I don’t run AV and I run as admin for convenience, and I have no viruses (as reported by the once-yearly scan I do with AV and Rootkit Revealer) because I have an idea of what is good and what is harmful. And nothing beats the convenience of being able to access your whole computer the whole time without having to elevate your privileges.
And the only times I ever reinstall OSes on my computers are when the disk fails or when I’m upgrading to new versions. (Or when I was trying a new linux distro, but that didn’t affect my Windows installs)
Commonsense does go a long way I agree, and 99% of the time your methods would be adequate for me too, I reckon. But I still don’t trust myself not to be suckered eventually by some clever enough bit of social engineering or trickery.
Just to outline my beef with Symantec, it was indeed the Antivirus that caused the problem. It can’t update under non-Admin, not even as a System-initiated scheduled task. Yes, it should generally be running as Admin and not tinkerable while running by non-Admins, but updates don’t have to be an interactive process. Most other Antivirus vendors have grasped this.
The first thing that struck me was how swiftly Option 1 was dismissed. I’d say the effort involved in familiarizing yourself with the tools mentioned in later Options is just as much effort as migrating to a non-admin account.
I was using “Limited accounts” for about 8 months, starting from a fresh installation. You won’t believe the number of headaches I had, from “small” problems like Start menu entries not showing up, or having to go and fix the location of configuration files originally in “Program files”, to having to install programs in “My Documents” in order for them to work, or just *having* to run a program as admin or it won’t work at all.
I also tried all the “sudo” like programs in the market, I didn’t find something comfortable enough.
Finally, I gave up, switched accounts to Administrator and crossed my fingers. Everything is so much smoother now!
The problem is that, say, 70% of Windows apps are broken for Limited accounts/Multiple accounts. (including many popular ones). The 2 simple things that would fix most of them:
1) store per user configuration in the user’s home folder (%USERPROFILE\Application Data), not in a global location (Program files\App name)
2) by default, store menu entries in “Documents and Settings\All users”, not under the account who installs the program.
These apps are written with a Windows 95 -or worse, DOS – mindset: single user, omnipotent and lack the tiny drop of Unix common sense.
I hope Vista will convince Windows developers to think NT, not DOS…
Edited 2006-07-30 19:31
The problem is that, say, 70% of Windows apps are broken for Limited accounts/Multiple accounts. (including many popular ones).
Dead on i would say.For example take the majority on online games with punkbuster.Most people play online as admin because otherwise the anti cheat software complains and kicks you from the server.
What is the use of all the protection in that case i ask myself.
What about those online games with punkbuster, that run on FreeBSD/Linux/OSX? Only time I got kicked by punkbuster was when the pb settings became outdated and I had to manually download the new ones.
What about those online games with punkbuster, that run on FreeBSD/Linux/OSX?
Never had any problems running punkbuster monitored games on FreeBSD/Linux/OSX ,exept when due to my own fault punkbuster was outdated.
Edited 2006-07-31 11:45
I similarly changed to a limited account several months ago and as the article mentions had some problems.
Modifying several folder paths under HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellFolders in the registry got me any missing folders/files/settings back. Also setting the start menu to “all users” under the admin account will mean all users will see installed programs.
1) store per user configuration in the user’s home folder (%USERPROFILEApplication Data), not in a global location (Program filesApp name)
2) by default, store menu entries in “Documents and SettingsAll users”, not under the account who installs the program.
I came across this problem as well. Some programs would complain about not being to update config files unless I gave access to that file to the limited user account. It’s unfortunate that more applications don’t take advantage of the (%USERPROFILEApplication Data) directory instead of using the program directory or the registry.
I created shortcuts for Nero, Services.msc, cmd.exe, and an explorer replacement with the following: runas.exe /user:x /savecred which allows me to start those apps as admin.
It’s a bit more cumbersome running as a limited account but I hope that the effort will pay off.
I probably exaggerated a bit in my original post – there are a lot of pitfalls and things to work out, which maybe I didn’t feel as acutely as others might. That’s because, before I started, I’d located two invaluable guides that provided much of the know-how in the planning stage: nonadmin.editme.com and Aaron Margosis’s blog on MSDN. Having a good resource makes all the difference.
When I read this article I could not help but chuckle a little.
It wasn’t at the article but at my knowledge of windows users here in Goober Gulch, New Mexico. I’m sure it’s a sampling of the larger population within the U.S. and the globe in general.
My personal opinion is that windows should have been secure in the first place back when it was migrated from 3.1 to 95 to NT to XP, etc.
Hind site is twenty-twenty and rather expensive.
We really should not be discussing `basic` security on an OS in 2006. I guess that’s the difference between the `ideal` and the `real` of windows.
It’s nice to see the system moving forward and introducing a stricter model of security. I’m not sure the average windows user will like the consequences of applying strict system and file permissions.
I used to make good money cleaning and repairing windows systems. I found users never liked the idea of actually using an administrator account or the `super user` Run As command.
The reason millions of windows users run the OS with an administrator account is the core fault of the manufacturer. They `should` have an administrator and elevated user creation as-well-as an explanation of the reason behind it in the initial build or install.
Oh well, I guess this news to the windows folk but rather old hat to us in the BSD, Linux, and *nix world.
BTW: I’ve never heard of the process manager program .. will definitely check it out
Process Lasso will do the job better than Taskmanager or CLI kill
http://www.bitsum.com/ProSuper.asp
All nice and good but i prefer the good old ghost image.
No more install festivals,only one single activation.Hardly any “bad boy” survives.
Why don’t they use Unix type rights (ugo)? It is high time they removed the difficult to grasp user creation settings and inject some simplicity in it. And also abolish the concept of registry. It is one of the most complex thing I have ever seen.
The primary reason I switched from windows to linux was because I found *nix much more simpler to configure and use.
Microsoft has a history of thriving in complexity. To get their developer products more embraced, they should think about simplyfying everything.
You just can’t please all of the people. Back when everyone KNEW Unix and VMS are the only serious OS choices for department- and enterprise-level computing, refugees from other OSes used to complain about features in their old systems that were missing in Unix. Extremely complicated rights systems a la Windows were one of them. Now of course, ECRS’s have come to Linux courtesy SELinux, AppArmor &c.
…is the fifth statement.
You have a Mac. Right, a Mac. Personaly I don’t. But, if I had one, I would not install Parallels to install XP to do what? Browse the web…
Oh no, sorry: it’s to get Vista security.
Seriously?
Sigh…. Yet again…..
Those who do not understand Unix are condemned to reinvent it, poorly.
— Henry Spencer
A 6th way: a recent topic called “Application-Level Virtualization for Windows” (http://www.osnews.com/comment.php?news_id=15214) mentions several applications, including Sandboxie (which has a free version, yet says it “reminds occassionally to be registered”, for cheap). Vista will have some similar functionality, so this is a 6th way (which should actually come before the Mac way). Of course, it isn’t convenient to use for all programs, but it is for many. I think this should have really been in the article.